Corporate espionage — sometimes also called industrial espionage, economic espionage or corporate spying — is the practice of using espionage techniques for commercial or financial purposes. We usually think of "espionage" in terms of spies working on behalf of one government trying to get information about another. But in fact, many of the same techniques — and even many of the same spies — work in both realms.

Types of industrial espionage

Trespassing onto a competitor's property or accessing their files without permission

Posing as a competitor's employee in order to learn company trade secrets or other confidential information

Wiretapping a competitor

Hacking into a competitor's computers

Attacking a competitor's website with malware

But not all corporate espionage is so dramatic. Much of it can take the simple form of an insider transferring trade secrets from one company to another — a disgruntled employee, for instance, or an employee who has been hired away by a competitor and takes information with them that they shouldn't.

Then there's competitive intelligence— which is, to put it in infosec terms, the white hat hacking of corporate espionage. Competitive intelligence companies say they're legal and above board, and gather and analyze information that's largely public that will affect their clients' fortunes: mergers and acquisitions, new government regulations, chatter on blogs and social media, and so forth. They might research the background of a rival executive — not to dig up dirt, they say, but to try to understand their motivations and predict their behavior. That's the theory, anyway, though sometimes, as we'll see, the line separating these operators from criminality can be thin.

It's also worth noting here that not all corporate espionage involves private businesses spying on other private businesses. Governments get into the game too — especially in countries where many businesses are state-owned and the regime views economic development as an important national goal. As a result, other governments find themselves drawn in to various degrees as well; one of the main motivations President Trump has given for escalating a trade war with China has been to fight against Chinese theft of American trade secrets. When state actors are involved in the process, the specific term often used is economic espionage.

Is industrial espionage a crime?

Many people are under the impression that spying on a private company isn't illegal the way that spying on, say, a foreign country is. And it's true that it's not illegal to obtain information about competitors via legal means, even if those means are secretive or deceptive. For instance, you can send "secret shoppers" into a rival's store to see how they do business, or hire a private investigator to lurk around a trade show and see what they can overhear.

But beyond that, things get legally trickier. In general, acquiring trade secrets (commercial secrets that have monetary value to the businesses that owns them) without the consent of their owners is against the law.

The scope of the criminal activity, including evidence of involvement by a foreign government, foreign agent, or foreign instrumentality

The degree of economic injury to the trade secret owner

The type of trade secret misappropriated

The effectiveness of available civil remedies

The potential deterrent value of the prosecution

But just because an act doesn't merit prosecution doesn't make it legal, and violations can serve as the basis for lawsuits in civil court. And finally, many U.S. states have their own laws about corporate espionage that are stricter than federal law; the Hewlett-Packard "pretexting" case (more on which in a moment) involved conduct that wasn't illegal under U.S. federal law but was in California, and resulted in a $14 million fine.

A corporate espionage case study

Security vendor Securonix has made available a great case study of a typical act of corporate espionage. Two people who had been classmates in a Ph.D. program at the University of Southern California (USC) went to work for U.S. tech companies and slowly and methodically exfiltrated data over several years to collaborators in China, with the intent of setting up their own company there with the stolen intellectual property. Securonix lays out the methods used and what the attackers did right — and wrong.

Corporate and industrial espionage examples

One of the truths about corporate espionage is that most cases go unreported, even if the victims learn about it. That's because the harm to the victim's reputation if it's revealed that they haven't done their security due diligence may outweigh the benefit of taking legal action against their attacker. Nevertheless, there have been many high-profile cases of corporate espionage, particularly in the tech industry, where ideas and code are all-important and easily pasted into an email.

The runaway VP. Danny Rogers, CEO and Founder of the dark web data intelligence startup Terbium Labs, told CSOonline that he once worked at a small company where the VP of engineering left and took all the company data and files with him to go to a larger competitor. That competitor then tried to out-compete the company for a contract. Ultimately, the police got involved, the person was prosecuted, and then went to prison.

HP's civil war. One of the highest-profile industrial espionage cases of the '00s involved Hewlett-Packard spying on ... itself. Desperate to figure out who was leaking damaging information to the press, the company hired multiple PI agencies to spy on their own board members, who in turn gathered the targets' phone records via "pretexting" — essentially, contacting phone companies and bluffing them into believing that you're the owner of the phone account you're looking to get information about. It's a criminal act in California, and the saga ended the careers of several HP execs.

Battle of the blades. In 1997, Steven L. Davis was a process controls engineer for Wright Industries Inc., a subcontractor for Gillette, and had just been demoted to a lower role in the company's Mach 3 project. Angry at what he saw as an attack on his career, he decided to get even by sending trade secrets about the Mach 3 project, unsolicited and without any request for cash, to multiple Gillette rivals. Honorably, Schick immediately reported the act back to Gillette, who got the FBI involved, and Davis ended up going to prison for more than two years.

A trashy investigation. In 2000, Microsoft was in the midst of battling an anti-trust suit from the U.S. federal government, and Larry Ellison, CEO of Oracle, suspected that two supposedly independent research organizations that were releasing pro-Microsoft reports, the Independent Institute and the National Taxpayers Union, were secretly on Redmond's payroll. After getting caught paying investigators to acquire the groups' garbage, Ellison claimed Oracle was just doing its "civic duty" to help the government's case, and offered to send his own company's trash to Microsoft HQ in the interest of full transparency.

Not very hospitable. In 2010, two huge hotel chains, Hilton Worldwide and Starwood Resorts & Hotels, resolved a legal dispute over industrial espionagein a way that demonstrates how steep the penalties can be even if criminal prosecution isn't pursued. The scandal arose when Hilton, trying to replicate the success of Starwood's W brand of "lifestyle hotels," hired away two Starwood execs, who took trade secrets with them. In the ensuing legal agreement, Hilton agreed to pay Starwood $75 million in cash, offer them another $75 million in hotel management contracts, not open any lifestyle hotel brands for two years, and submit to being "baby sat" by court appointed monitors to ensure compliance.

Corporate espionage jobs

If the world of corporate espionage sounds exciting to you, you might want to take a look at SCIP, the trade organization for competitive intelligence professionals. They can connect you with resources and other information.

As to how you break into the field: well, many of the people working in corporate espionage got their start on the government side of spy work. In fact, so many are former CIA and FBI agents, using the skills they've acquired with Uncle Sam to protect or further the cause of private companies that some have questioned whether U.S. taxpayers are subsidizing corporate skullduggery.

Corporate espionage companies

Big corporations often maintain their own internal competitive intelligence departments, with in-house analysts trying to keep a leg up on the competition. Some of the biggest spenders are in the pharmaceutical business; more than a quarter of pharma companies spend north of $2 million a year on competitive intelligence. But just about any big company will spend money on counterintelligence measures; after Nasim Najafi Aghdam tried to attack YouTube headquarters in 2018, a Google exec toldVanity Fairthat she had been serendipitously prevented from entering the building by security measures that had actually been put in place to protect data.

Corporate espionage movies

Looking to see industrial espionage on the big screen? One of the biggest hit films on the subject of recent years is Inception, which features consultants attempting to acquire corporate secrets. Of course, there's the small matter of the methods they used — invading their subjects' dreams — that isn't quite realistic.

For a somewhat more down-to-earth take, you might want to check out Duplicity, an underrated 2009 caper film starring Julia Roberts and Clive Owen, which in addition to not involving sci-fi dreamscapes has the added realistic bonus of making its two stars ex-spies for the CIA and MI-6 who then go into corporate intelligence.

Latest Videos

Hear from Invictus Games Sydney 2019 CEO, Patrick Kidd OBE and Head of Technology, @James-d-smith -share their insights on how they partnered with Unisys to protect critical data over an open, public WiFi solution.

With so much change all the time, how can executives best prepare their businesses to meet the security challenges of the coming years? CSO Australia, in conjunction with Mimecast, explored this question in an interactive Webinar that looks at how the threat landscape has evolved – and what we can expect in 2019 and beyond.

According to new research conducted by the Ponemon Institute, Australia and New Zealand have the highest levels of data breaches out of the nine countries investigated. This was linked to heavy investment in security detection and an under-investment in security and vulnerability response capabilities

Copyright 2019 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.